IT experts scramble to stop Melissa
IT managers across the country worked through the weekend, but the virus left few organizations untouched, in some cases hobbling businesses and government organizations. The frenetic activity paid off at United Parcel Service, for example, which spent all of Sunday preparing for the worst. "We had eight people here working most of the day Sunday," securing the company's computer systems and checking for vulnerabilities, said Marc Dodge, Internet and intranet systems manager for the package delivery company, who reported success blocking the virus.
To combat the virus, companies in some cases reverted to old-school techniques. "We left paper notices on everyone's desks to get them before they read their e-mail," said Dennis M. Cooper, a computer tech with software maker ObjectSpace Inc. The 250-person company found its systems infected after Smith questioned why his senior manager was sending him pornographic Web site information, a symptom of the original virus message. "We wanted to make sure that no one got on their e-mail before being notified," said Cooper.
Harry Burkart, vice president and CIO of the Public Broadcasting System in Alexandria, Va., said his organization prepared for Melissa as it would for any other virus -- PBS sent out a broadcast message Sunday to the approximately 2,000 users on its LAN, explaining what the virus was and how they should deal with it. As of midday Monday, Burkart had no reports of the virus getting on the LAN. "A few" of PBS' 40 IT staffers were in the office over the weekend making sure that Norton AntiVirus software would be ready Monday morning. Burkart said he first heard about the virus on Friday.
Disruptions bring warnings
The warning from the FBI and National Infrastructure Protection Center marked the government's first major attempt to prevent a computer disaster. In a statement issued Sunday, the NIPC, a special unit created to protect the nation's information assets, said it had received "widespread reports" that the virus has propagated into commercial, government and military e-mail gateways and systems.
Security experts characterized Melissa as the fastest-spreading computer virus they've ever encountered. They reported a mounting number of incidents, even as e-mail traffic underwent its traditional weekend slowdown. Officials of the Computer Emergency Response Team (CERT) at Carnegie Mellon University reported that by early Sunday evening more than 100 sites had been hit by the virus. "These organizations have hundreds and thousands of machines that can't get e-mail," said Jeff Carpenter, the team leader for incident response. Carpenter said he expected "a major problem" when the workforce returned to work.
And although it hasn't turned out to be the end of the world as we know it, the virus continues to create challenges for IT managers. What's more, there are increasing concerns that it might 'morph' into something more insidious as copycats attempt to outdo Melissa's author.
How Melissa works
The macro prompts Microsoft's Outlook e-mail program to send a document to the first 50 addresses in a user's address book, under the subject line "Important Message From" and then the user's name. "Here is the document that you asked for," the text inside the message reads. "Don't show anyone else ;-)."
Even people who don't use Outlook are at risk. As long as Outlook is set up to send mail, the infected documents will be sent. In addition, the default Word template -- normal.dot, which acts as the basis of every new document that the user creates -- is infected with the code. Subsequent Word documents created by the user will also contain the virus.
The virus is thought to have originally spread through a posting on the alt.sex newsgroup that advertised the accompanying Word document as a list of passwords to various pornographic Web sites. A signature file included in the virus dubbed the nasty code as "Melissa" and identified the author by the handle "Kwyjibo."
Little damage, but spreads fast
"Because there's so much e-mail passing through a server, it's basically taking down the servers," said Srivats Sampath, a general manager of anti-virus firm McAfee, a unit of Network Associates Inc.
Network managers scrambling
The FBI and NIPC issued their warning as a preventive measure. "E-mail users have the ability to significantly affect the outcome of this incident," said Michael Vatis, director of NIPC. "I urge (them) to exercise caution when reading their e-mail over the next few days and to bring unusual messages to the attention of their system administrator."
At Microsoft, the company suspended all incoming and outgoing Internet mail Friday. "We're a victim, like any other company on the outside," said a Microsoft spokesman.
The spokesman said Microsoft's product support division has been in contact all day via e-mail and phone with Microsoft's customers and partners, alerting them about the virus. "We made an IT (information technology) decision in the early afternoon and agreed it was pro-customer and pro-partner to shut down our Internet mail portion. As soon as we feel tight on this, probably in the next few hours, we will turn this back on and process all the mail in the queue."
A representative at Waggener Edstrom, Microsoft's public relations agency, which also was hit by the virus, according to several sources, acknowledged problems caused by a "malicious macro virus."
At least one division of Intel also reported problems resulting from the macro virus. A public relations spokesperson acknowledged that some of the company's e-mail servers had gone down as a result.
David Perry, who billed himself as a product marketing manager from antivirus company Trend Micro Inc. on a newsgroup posting, said he was called away from his vacation to deal with clients experiencing the virus. Yet another Netizen said her husband was at work until 11 p.m. dealing with the virus, which apparently had attacked Motorola Corp.'s offices in Fort Worth, Texas.
Universities hit, too
Another network administrator came to Merritt with four messages sent in by various users. "Most of the messages started from the Bloomington campus," said Merritt. "They said 'Important Message From' such and such a professor, so it looked like they were coming from legitimate sources."
While the network began to slow down, it never stopped. Instead, soon after the e-mails were discovered, the university took down its Microsoft Exchange servers -- servers that had only been installed a few weeks before. "The system slowed down a bit, but it really wasn't a problem until we had to take it down," said Merritt.
Multiply the reaction of Indiana University by hundreds, if not thousands, on Monday, and "Melissa" could rival the Cornell Internet Worm released in 1988.
Help stations on the Internet
Indiana University installed a filter that returns any e-mail containing the virus's signature subject line to the original sender, one of CERT's recommendations. The center also advised users to utilize virus scanners and to disable Microsoft Word macros.
Yet, the quickest fix, said Indiana University's Merritt, is a healthy dose of common sense. "If your PC asks you if it is alright to run a macro, just say no," he said. "It surprises me that users hit yes, when they know nothing about the document."
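The subject-line gateway filter described above, sketched in Python as an added example; it is not from the article and is not Indiana University's or CERT's actual filter. The function names, sample addresses, and the extra body and attachment checks are assumptions for illustration, and the matched strings are the ones quoted in this article.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators as quoted in the article; all names below are illustrative.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is the document that you asked for"

def indicators(raw: bytes) -> set:
    """Return which of the article's Melissa traits a raw message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    # policy.default decodes RFC 2047 encoded-words and unfolds the header;
    # collapse whitespace so odd spacing does not defeat the match.
    subject = re.sub(r"\s+", " ", str(msg.get("Subject", ""))).strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        found.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = re.sub(r"\s+", " ", body.get_content()).lower()
        if BODY_PHRASE in text:
            found.add("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".doc"):
            found.add("doc-attachment")
    return found

def gateway_action(raw: bytes) -> str:
    """Subject line alone triggers the return, as in the filter described."""
    return "return-to-sender" if "subject" in indicators(raw) else "deliver"

def sample(subject: str, body: str, doc: bool = False) -> bytes:
    """Build a constructed test message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"], m["To"] = "prof@example.edu", "staff@example.edu"
    m["Subject"] = subject
    m.set_content(body)
    if doc:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename="list.doc")
    return m.as_bytes()

if __name__ == "__main__":
    hit = sample("Important Message From Jane Doe",
                 "Here is the document that you asked for", doc=True)
    print(gateway_action(hit), sorted(indicators(hit)))
    print(gateway_action(sample("Budget review", "See attached.", doc=True)))
```

A subject-only rule also returns any legitimate mail that happens to use the same subject, which is why the sketch reports the body and attachment indicators separately for an administrator to review.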
David Styka, the chief financial officer for ClickNet Inc., a small software developer in San Jose, Calif., says Melissa came to his attention after a female employee came to him to complain about the pornographic attachment that had been forwarded to her from a customer. He thought he was dealing with a potential case of sexual harassment.
Within minutes after his MIS manager opened the file as the first step in an investigation, they realized they had a virus on their hands, and it infected computers throughout the company within minutes.
He said his MIS manager was working the weekend to put the virus in check. The company shut down its mail server. "My MIS guy is going desktop to desktop to clear it out."
"This is really scary," Styka said. The reason: "I don't think anybody knows all the ramifications. Even though we're going desktop to desktop, we don't know if anyone has saved the file to their hard drive and will attempt to open it at some later date -- and start the infection all over again."
What's more, he wonders, "How many customers did we accidentally send this to -- and what are they going to think when they open it up on Monday morning?"
It's a question that's on a lot of people's minds.
Additional reporting for this story by Lisa Bowman, Patrick Houston, Charles Cooper and Sean Silverthorne of ZDNN, Mary Jo Foley of Sm@rt Reseller, John Rendleman, Carmen Nobel and Aileen Crowley of PC Week.
Copyright (c) 1999 ZDNet. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of ZDNet is prohibited. ZDNet and the ZDNet logo are trademarks of Ziff-Davis Publishing Company.